Secure publishing of data to DMZ using virtual hard drives

US 8,601,124 B2
Filed: 06/25/2007
Issued: 12/03/2013
Est. Priority Date: 06/25/2007
Status: Active Grant

First Claim

Patent Images

1. A method for secure publishing of data from a first physical computer to a DMZ resident virtual computer hosted on a second physical computer using a virtual hard disk, the method comprising:

storing a data file in memory on the first physical computer, the first physical computer being coupled to a first network, the data file containing data;

transferring the data to the DMZ resident virtual computer hosted on the second physical computer as a virtual hard disk on the second physical computer, via a first network interface card (NIC) coupled to the second physical computer and to the first network and not to a second network,the second physical computer having an operating system configured to be unable to communicate using a second NIC, andthe DMZ resident virtual computer having a root partition configured in a manner that limits devices seen by the root partition and disables communication of the DMZ resident virtual computer with the first NIC based on the limited devices seen by the root partition;

detecting presence of the virtual hard disk by the DMZ resident virtual computer;

mounting of the virtual hard disk by the DMZ resident virtual computer; and

publishing the data to the second network via the second NIC.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure DMZ-resident computer that cannot connect to the internal network while allowing data to be transferred to and from the DMZ-resident computer is disclosed. The mechanism may include the transference of virtual hard disk files between the internal network and the DMZ host computer. The DMZ host computer may be configured with two network interface cards (“NICs”). One NIC may be connected to the DMZ network. The other NIC may be connected to the internal network. The virtual machines are connected only to the DMZ NIC. The physical host communicates only with the internal network NIC. When it is necessary to publish data to the DMZ-resident computer, a virtual hard disk file may be copied to the DMZ host over the internal network NIC. The DMZ resident virtual computer simply detects the presence of the new drive and mounts it.

12 Citations

20 Claims

1. A method for secure publishing of data from a first physical computer to a DMZ resident virtual computer hosted on a second physical computer using a virtual hard disk, the method comprising:
- storing a data file in memory on the first physical computer, the first physical computer being coupled to a first network, the data file containing data;
  
  transferring the data to the DMZ resident virtual computer hosted on the second physical computer as a virtual hard disk on the second physical computer, via a first network interface card (NIC) coupled to the second physical computer and to the first network and not to a second network,the second physical computer having an operating system configured to be unable to communicate using a second NIC, andthe DMZ resident virtual computer having a root partition configured in a manner that limits devices seen by the root partition and disables communication of the DMZ resident virtual computer with the first NIC based on the limited devices seen by the root partition;
  
  detecting presence of the virtual hard disk by the DMZ resident virtual computer;
  
  mounting of the virtual hard disk by the DMZ resident virtual computer; and
  
  publishing the data to the second network via the second NIC.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first NIC and the second NIC are installed onto a host server.
  - 3. The method of claim 2, wherein the host server is operational to execute the virtual computer thereon, and wherein the virtual hard disk is associated with the virtual computer executing on the host server.
  - 4. The method of claim 3, wherein the host server has an operating system that is operational to communicate onto the first network and not to communicate onto the second network, and the virtual computer is operational to communicate onto the second network, and not to communicate onto the first network.
  - 5. The method of claim 1, further comprising creating the virtual hard disk as a new virtual hard disk on the second physical computer.
  - 6. The method of claim 5, wherein transferring the data comprises a virtual machine management server causing the virtual hard disk to be created on the second physical computer.
  - 7. The method of claim 6, wherein the virtual machine management server causes the new virtual hard disk to be added on a virtual SCSI controller on the second physical computer.
  - 8. The method of claim 1, wherein the first network is an intranet.
  - 9. The method of claim 8, wherein the second network is the Internet.
  - 10. The method of claim 1, wherein transferring the data comprises exploiting similarities between the data and a second data file on the second physical computer.
  - 11. The method of claim 10, wherein exploiting the similarities comprises using remote differential compression to compare signatures associated with corresponding blocks of data from the data file and the second data file.

12. A system for secure publishing of data to DMZ using a virtual hard drive, the system comprising:
- a content server in communication with an intranet; and
  
  a DMZ host server comprising an intranet-facing network interface card (NIC) via which the DMZ host server is enabled to communicate over the intranet with the content server, and an Internet-facing NIC via which the DMZ host server is enabled to communicate over the Internet, the DMZ host server hosting a virtual computer,the virtual computer having a root partition configured in a manner that limits devices seen by the root partition and disables the communication of the virtual computer with the intranet-facing NIC based on the limited devices seen by the root partition and configured to communicate over the Internet using the Internet-facing NIC,the virtual computer detecting presence of the virtual hard disk,the virtual computer mounting the virtual hard disk,the data published to the intranet network via the intranet-facing NIC, andthe DMZ host server having an operating system that is configured to lack access to the Internet-facing NIC.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the DMZ host server operating system is unable to communicate over the Internet via the Internet-facing NIC.
  - 14. The system of claim 13, further comprising a virtual computer running on the DMZ host server, wherein the virtual computer is enabled to communicate over the Internet via the Internet-facing NIC.
  - 15. The system of claim 14, wherein the virtual computer is unable to communicate over the intranet via the intranet-facing NIC.
  - 16. The system of claim 15, further comprising a virtual machine management server that is adapted to create a virtual hard drive on the DMZ host server, and to cause content of a data file to be transferred from the content server onto the virtual hard drive via the intranet-facing NIC.
  - 17. The system of claim 16, wherein the virtual computer is adapted to publish the contents of the virtual hard drive onto the Internet via the Internet-facing NIC.

18. A physical device comprising:
- a DMZ resident virtual computer hosted on the physical device;
  
  a processor; and
  
  a memory coupled to the processor, the memory having stored thereon executable instructions that when executed by the processor cause the processor to effectuate operations comprising;
  
  receiving data on the physical device as a virtual hard disk via a first network interface card (NIC) coupled to the physical device and to a first network and not to a second network, second physical computer having an operating system configured to be unable to communicate using a second NIC, and the virtual machine having a root partition configured in a manner that limits devices seen by the root partition and disables communication of the DMZ resident virtual computer with the first NIC based on the limited devices seen by the root partition;
  
  detecting presence of the virtual hard disk by the DMZ resident virtual computer;
  
  mounting of the virtual hard disk by the DMZ resident virtual computer; and
  
  publishing the data to the second network via the second NIC.
- View Dependent Claims (19, 20)
- - 19. The physical device of claim 18, wherein the first network is an intranet.
  - 20. The physical device of claim 18, wherein the second network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Fries, Robert M.
Primary Examiner(s)
Shin, Kyung H

Application Number

US11/768,039
Publication Number

US 20080320127A1
Time in Patent Office

2,353 Days
Field of Search

709/224, 709/225, 370/392, 713/182
US Class Current

709/225
CPC Class Codes

H04L 63/0209 Architectural arrangements,...

H04L 67/06 specially adapted for file ...

Secure publishing of data to DMZ using virtual hard drives

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure publishing of data to DMZ using virtual hard drives

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links